⚠️BIP143 HW Wallet attack explained ⚠️

1/ Read this if you are confused about how the recent BIP143 bug allows attackers to steal your #Bitcoin. The attack is very real and not just for miners. Everyday users should be very careful and upgrade their HWW firmware when available. 👇
2/ BIP143-SegwitV0 provides a different way to sign tx inputs. It requires sending much less data to the HWW to sign. Changing anything signed makes the input and tx invalid. Each tx input gets its own signature that commits to all input and output hashes.
3/ The PSBT creator (or similar method) includes the txid+output index for each input (these are your UTXOs). The creator also includes the amount of each UTXO and the amount of the new output(s). Key point: each input gets its own signature.
4/ HWWs show the user the output addresses and output amounts to confirm. They also show the user the fee by subtracting the output amounts from the input amounts. But you don't know which inputs are used, nor would this help most users.
5/ 🦟Now for the attack🦟

The attacker needs the ability to see all or some of your UTXOs and to modify the PSBT data (or similar) sent to the HWW.

1. You want to move 10 BTC to an exchange.
2. You have 2 UTXOs of 6 BTC (utxo_1) and 4.0001 BTC (utxo_2) selected by your PC full node.
...
6/

3. The attacker sees you have utxo_3 of 9 BTC.
4. He replaces utxo_2 with utxo_3 but does not change the amount in the PSBT.
5. The HWW asks you to sign. Outputs and fee look fine, so you click OK.
6. The HWW generates sigs for utxo_1 and utxo_3.
7. If broadcast to the network, the tx would be invalid.
7/

8. The utxo_1 sig is good, but the utxo_3 sig is bad, so at this point no harm is done.
9. But your tx failed, so you try again.
10. Now the attacker modifies the PSBT so that utxo_3 is 9 BTC (valid) but changes the utxo_1 value to 1.0001 (a lie).
11. The HWW shows the output address, amount and fee normally.
8/

12. You sign, but again the tx is broadcast and is still invalid, because the utxo_1 sig is bad this time.
13. But now the attacker can take the good utxo_1 sig from the first pass and add the good utxo_3 sig from the second pass to make a new signed tx of 9+6 BTC with an output of 10, so a fee of 5 BTC!
9/ Many said this is not that bad because you have to mine this tx to collect the money. WRONG! Also, I thought of some more things that make it worse too.

10/ The attacker could run the attack selecting coins not normally chosen. Then, when the user tries a 3rd time, the attacker allows the tx to go through normally but with different UTXOs, say utxo_4 and utxo_5. The attacker then has time to ransom the high-fee tx to a miner, weeks, maybe months.
11/ The user may never be able to identify what even happened. 10 more BTC show up on their exchange a month later, but 5 BTC were burned to the attacker and miner.

The attack can be repeated until successful because the user doesn't know anything is wrong, other than that once a month some txs fail.

Scary!
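The two signing rounds and the signature splice described in the thread, modelled as an added Python example (not code from the thread or from any wallet vendor): a toy BIP143-style per-input digest, the naive signer that trusts the host-supplied input amounts, and a hardened signer that checks each claimed amount against the input's previous transaction before signing. The txids, UTXO amounts and output are constructed to match the thread's numbers.

```python
import hashlib

# Toy model of BIP143 per-input signing; amounts are satoshis. A "signature" is
# modelled as the digest itself where a real signer would sign it with the key.
BTC = 100_000_000

def sighash(prevout, amount, outputs):
    # BIP143 digest: commits to this input's prevout, the amount the host
    # claims for it, and every output (address -> amount).
    preimage = f"{prevout}|{amount}|{sorted(outputs.items())}".encode()
    return hashlib.sha256(preimage).hexdigest()

def displayed_fee(claimed_inputs, outputs):
    # What the wallet screen shows: claimed input amounts minus outputs.
    return sum(a for _, a in claimed_inputs) - sum(outputs.values())

def naive_sign(claimed_inputs, outputs):
    # Vulnerable signer: trusts whatever amount the host supplies per input.
    return {p: sighash(p, a, outputs) for p, a in claimed_inputs}

def amount_mismatches(claimed_inputs, prev_txs):
    # Inputs whose claimed amount differs from the previous transaction's output.
    return [(t, v) for (t, v), a in claimed_inputs if prev_txs[t][v] != a]

def hardened_sign(claimed_inputs, outputs, prev_txs):
    # Mitigation: require every input's previous transaction and refuse to sign
    # unless each claimed amount matches the output it spends.
    bad = amount_mismatches(claimed_inputs, prev_txs)
    if bad:
        raise ValueError(f"claimed amount disagrees with prev tx for {bad}")
    return naive_sign(claimed_inputs, outputs)

def tx_valid(sigs, utxo_set, outputs):
    # Network rule: each signature must match the digest over the true amount.
    return all(s == sighash(p, utxo_set[p], outputs) for p, s in sigs.items())

# Constructed chain state: utxo_1 = 6 BTC, utxo_2 = 4.0001 BTC, utxo_3 = 9 BTC.
UTXO_1, UTXO_2, UTXO_3 = ("tx_a", 0), ("tx_b", 1), ("tx_c", 0)
UTXO_SET = {UTXO_1: 6 * BTC, UTXO_2: 400_010_000, UTXO_3: 9 * BTC}
PREV_TXS = {"tx_a": (6 * BTC,), "tx_b": (50 * BTC, 400_010_000), "tx_c": (9 * BTC,)}
OUTPUTS = {"exchange_addr": 10 * BTC}
# Round 1: utxo_2 swapped for utxo_3, but utxo_2's amount left in the PSBT.
ROUND1 = [(UTXO_1, 6 * BTC), (UTXO_3, 400_010_000)]
# Round 2: utxo_3 now truthful, utxo_1 understated so the shown fee stays 0.0001.
ROUND2 = [(UTXO_1, 100_010_000), (UTXO_3, 9 * BTC)]

def run_thread_scenario():
    # Replays both rounds against the naive signer and splices the good signatures.
    r1, r2 = naive_sign(ROUND1, OUTPUTS), naive_sign(ROUND2, OUTPUTS)
    spliced = {UTXO_1: r1[UTXO_1], UTXO_3: r2[UTXO_3]}
    real_fee = sum(UTXO_SET[p] for p in spliced) - sum(OUTPUTS.values())
    return (tx_valid(r1, UTXO_SET, OUTPUTS), tx_valid(r2, UTXO_SET, OUTPUTS),
            tx_valid(spliced, UTXO_SET, OUTPUTS), real_fee)
```

Both rounds show the user a 0.0001 BTC fee, both rounds fail on the network, and the spliced transaction is valid with a 5 BTC fee; `hardened_sign` refuses round 1 because the claimed utxo_3 amount does not match its previous transaction.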